CVE-2024-45516

high-risk

Published 2025-05-14

An issue was discovered in Zimbra Collaboration (ZCS) 9.0.0 before Patch 43, 10.0.x before 10.0.12, 10.1.x before 10.1.4, and 8.8.15 before Patch 47. A Cross-Site Scripting (XSS) vulnerability in the Zimbra Classic UI allows attackers to execute arbitrary JavaScript within the user's session, potentially leading to unauthorized access to sensitive information. This issue arises from insufficient sanitization of HTML content, including malformed <img> tags with embedded JavaScript. The vulnerability is triggered when a user views a specially crafted email in the Classic UI, requiring no additional user interaction.

Do I need to act?

0.28% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.1/10 Medium

NETWORK / LOW complexity

Affected Products (20)

Zimbra Collaboration Suite

Affected Vendors

Synacor

References (4)

Vendor Advisory https://wiki.zimbra.com/wiki/Security_Center

Release Notes https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.4#Security_Fixes

Product https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy

Vendor Advisory https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories

/ 100

high-risk

Severity 23/34 · High

Exploitability 1/34 · Minimal

Exposure 30/34 · Critical